BT

Angular 1.X Usage Banned in Firefox Extensions

| by David Iffland Follow 4 Followers on Oct 24, 2016. Estimated reading time: 2 minutes |

The bitwarden team found out the hard way that the technology they built their Firefox extension upon — Angular 1.5.8 — was banned.

In a bug report, the team says they wanted to bring their extension to Firefox (it's been available in Chrome), but the add-on linter rejected their extension because of the presence of Angular 1.5.8. They were using a specific version, but it turns out every version of Angular 1.X is banned from use in Firefox extensions.

This was not necessarily a vulnerability with Angular, but more about the way Angular 1.X and other libraries interact with the Firefox extension system and the page loaded in the browser. Martin Probst on the Angular team described the problem:

Angular itself is fine, and there's no problem with escaping or eval'ing per se.

However there is a corner condition in which Angular being present in an extension might weaken some security measures. It requires multiple issues to happen together, including the victim page being vulnerable in the first place. I'm actually not sure if that is the issue that Mozilla was thinking about, but it is a problem. We will put some defense in depth into Angular to mitigate this, but I believe it's a general issue with how extensions are handled, not limited to Angular.

 

Complicating the issue is that while Firefox knew about the Angular ban, they didn't share it with Google. Andreas Wagner from Mozilla says this was on purpose:

Unfortunately, we were not able to report them to Angular as the security researcher who found them asked us to not share them.

It's not clear why the researcher didn't also contact the Angular team directly.

This caused some teeth gnashing in the community, but the unknown researcher in question and Google have now been in contact and a fix is in the works. Much of the discussion pointed to a feature in Angular 1.X called the Expression Sandbox. Google has already decided to remove the Expression Sandbox in version 1.6. But Probst says the sandbox is not the cause of the ban:

  • We understand the underlying concern better now after talking to the researcher.
  • The issue is unrelated to sandbox bypasses.
  • There is a (not super high priority) security issue. It's not really specific to Angular, but Angular makes it easier to exploit.
  • We believe the problem can be mitigated between Angular and Firefox. I'm working on a fix.

Until the fix is in, developers will be unable to ship a Firefox extension with Angular 1.X involved.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT